Threat entity extracted from intelligence sources
A new variant of the ClayRat Android spyware has been identified, capable of full device takeover. Initially discovered in October 2025, this spyware targets Russian users and has expanded its capabilities to include extensive surveillance and control functions. The latest version combines default SMS-handler privileges with Accessibility Services to exfiltrate sensitive data and manipulate infected devices.
The North Korea-linked FlexibleFerret malware has been updated to enhance its stealth and persistence on macOS systems. The new attack chain includes a second-stage shell script that fetches payloads based on the system architecture and utilizes a Go-based backdoor to maintain long-term access while bypassing user safeguards.
Over 3,000 YouTube videos were removed by Google for distributing password-stealing malware disguised as cracked software. The operation, identified as the 'YouTube Ghost Network,' utilized compromised accounts to post videos that misled users into downloading infostealers like Rhadamanthys and Lumma. This malware campaign has been active since 2021 and has significantly increased its output in 2025.
In 2025, Check Point Research identified a malware distribution network on YouTube, dubbed the 'YouTube Ghost Network.' This operation utilized compromised accounts and social engineering tactics to spread information-stealing malware disguised as free software, affecting users seeking legitimate content. Google has since removed over 3,000 videos linked to this malicious activity.